first commit

compose/keycloak-config/demo-realm.yaml

@@ -0,0 +1,99 @@
+realm: demo
+displayName: Demo
+enabled: true
+registrationAllowed: false
+loginWithEmailAllowed: true
+duplicateEmailsAllowed: false
+resetPasswordAllowed: true
+editUsernameAllowed: false
+bruteForceProtected: true
+
+clientScopes:
+  - name: app:read
+    description: Read access to application resources
+    protocol: openid-connect
+  - name: app:write
+    description: Write access to application resources
+    protocol: openid-connect
+
+roles:
+  realm:
+    - name: app-user
+      description: Standard application user
+    - name: app-admin
+      description: Application administrator
+
+clients:
+  - clientId: demo-app
+    name: Demo Application
+    enabled: true
+    protocol: openid-connect
+    publicClient: true
+    standardFlowEnabled: true
+    directAccessGrantsEnabled: true
+    serviceAccountsEnabled: false
+    redirectUris:
+      - "http://localhost:3000/*"
+    webOrigins:
+      - "http://localhost:3000"
+    defaultClientScopes:
+      - web-origins
+      - acr
+      - profile
+      - roles
+      - email
+    optionalClientScopes:
+      - app:read
+      - app:write
+    protocolMappers:
+      - name: demo-backend-audience
+        protocol: openid-connect
+        protocolMapper: oidc-audience-mapper
+        config:
+          included.client.audience: demo-backend
+          access.token.claim: "true"
+
+  - clientId: demo-app-pkce
+    name: Demo Application (PKCE)
+    enabled: true
+    protocol: openid-connect
+    publicClient: true
+    standardFlowEnabled: true
+    directAccessGrantsEnabled: false
+    serviceAccountsEnabled: false
+    attributes:
+      pkce.code.challenge.method: S256
+    redirectUris:
+      - "http://localhost:3000/*"
+    webOrigins:
+      - "http://localhost:3000"
+    defaultClientScopes:
+      - web-origins
+      - acr
+      - profile
+      - roles
+      - email
+
+  - clientId: demo-backend
+    name: Demo Backend
+    enabled: true
+    protocol: openid-connect
+    publicClient: false
+    standardFlowEnabled: false
+    directAccessGrantsEnabled: false
+    serviceAccountsEnabled: true
+    secret: $(env:DEMO_BACKEND_SECRET)
+
+users:
+  - username: demo-user
+    email: demo@example.com
+    firstName: Demo
+    lastName: User
+    enabled: true
+    emailVerified: true
+    credentials:
+      - type: password
+        value: $(env:DEMO_USER_PASSWORD)
+        temporary: false
+    realmRoles:
+      - app-user

compose/keycloak-config/master-realm.yaml

@@ -0,0 +1,3 @@
+# Minimal master realm patch — do not remove critical built-in elements
+realm: master
+displayName: Master